Closed Bug 1309160 Opened 3 years ago Closed 3 years ago

[Static Analysis][Dereference after null check] In function RematerializedFrame::trace

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1373583)

Attachments

(1 file)

The Static Analysis tool Coverity detected that a null pointer dereference will happen in:

>>    TraceRootRange(trc, numArgSlots() + isConstructing_ + script_->nfixed(),
>>                   slots_, "remat ion frame stack");

for variable |callee_|

The checker is triggered since |callee_| is checked against null prior to calling TraceRootRange, in a different statement.

The callstack for the dereference is:
 nargs()
 numArgSlots()
 TraceRootRange()

nargs gets called from |callee_| that is returned via callee() function that has the following code block:

>>    JSFunction* callee() const {
>>        MOZ_ASSERT(isFunctionFrame());
>>        return callee_;
>>    }

The static analysis tool cannot correlate the validity of the assert with the validity of callee_, so I suggest adding a null check on callee_ before calling TraceRootRange.

So if I understand correctly, we're calling RematerializedFrame::numArgSlots, which calls RematerializedFrame::numFormalArgs:

    unsigned numFormalArgs() const {
        return isFunctionFrame() ? callee()->nargs() : 0;
    }

callee() shouldn't return nullptr if isFunctionFrame(). Can we shut up Coverity by adding MOZ_ASSERT(callee_) to RematerializedFrame::callee()?
Flags: needinfo?(bpostelnicu)
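To make the shape of the finding and of the proposed fix concrete, here is a small constructed model of the frame in C++. It is an added example, not SpiderMonkey code: `Frame`, `Function`, `numTracedRoots()`, `makeFunctionFrame()` and `makeGlobalFrame()` are hypothetical names, and the "function frame" flag is deliberately stored separately from `callee_` to mirror why a checker cannot infer the non-null invariant from `isFunctionFrame()` alone.

```cpp
#include <cassert>
#include <cstdio>

// Constructed stand-in for a JSFunction: only the arity is modelled.
struct Function {
    unsigned nargs_;
    unsigned nargs() const { return nargs_; }
};

// Constructed stand-in for a rematerialized frame. The function-frame flag is a
// separate field (in the real engine it derives from the script, not from callee_),
// so a path-sensitive checker has no way to tie "isFunctionFrame()" to "callee_ != null".
class Frame {
    Function* callee_;        // null for non-function (e.g. global) frames
    bool isFunctionFrame_;
    unsigned numActualArgs_;

public:
    Frame(Function* callee, bool isFunctionFrame, unsigned numActualArgs)
        : callee_(callee), isFunctionFrame_(isFunctionFrame), numActualArgs_(numActualArgs) {}

    bool isFunctionFrame() const { return isFunctionFrame_; }

    // Accessor as discussed in the thread. The second assert is the proposed fix:
    // it states the non-null invariant at the point where the pointer is read,
    // which is what a checker needs to see in order to drop the "may be null" fact.
    Function* callee() const {
        assert(isFunctionFrame());
        assert(callee_);
        return callee_;
    }

    // Same shape as the numFormalArgs() quoted in the thread.
    unsigned numFormalArgs() const {
        return isFunctionFrame() ? callee()->nargs() : 0;
    }

    // Arg slots are the larger of actual and formal argument counts.
    unsigned numArgSlots() const {
        unsigned formals = numFormalArgs();
        return numActualArgs_ > formals ? numActualArgs_ : formals;
    }

    // Constructed bookkeeping that reproduces the flagged pattern: callee_ is
    // null-checked in one statement, and the next statement reaches callee_->nargs()
    // through numArgSlots(). The checker remembers the first check and reports the
    // second use as a dereference after null check, even though isFunctionFrame()
    // guards it on every real path.
    unsigned numTracedRoots() const {
        unsigned roots = 0;
        if (callee_) roots += 1;     // null check the checker records
        roots += numArgSlots();      // dereference path the checker then flags
        return roots;
    }
};

// Helpers for the two frame kinds the thread distinguishes (constructed).
inline Frame makeFunctionFrame(Function* fn, unsigned actuals) { return Frame(fn, true, actuals); }
inline Frame makeGlobalFrame() { return Frame(nullptr, false, 0); }

int main() {
    Function fn{3};
    Frame f = makeFunctionFrame(&fn, 5);
    std::printf("function frame: argSlots=%u tracedRoots=%u\n", f.numArgSlots(), f.numTracedRoots());
    Frame g = makeGlobalFrame();
    std::printf("global frame:   argSlots=%u tracedRoots=%u\n", g.numArgSlots(), g.numTracedRoots());
    return 0;
}
```

The global frame never reaches `callee()`, so the only behavioural change from the extra assert is that a broken invariant (a function frame built with a null callee) fails loudly in debug builds instead of crashing inside `nargs()`.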
Comment on attachment 8799673 [details]
Bug 1309160 - prevent null pointer dereference when calling TraceRootRange/

https://reviewboard.mozilla.org/r/84812/#review83412
Attachment #8799673 - Flags: review?(jdemooij)
Sure we can do this! I will update the patch.
Flags: needinfo?(bpostelnicu)
Comment on attachment 8799673 [details]
Bug 1309160 - prevent null pointer dereference when calling TraceRootRange/

https://reviewboard.mozilla.org/r/84812/#review83414

Thanks!
Attachment #8799673 - Flags: review?(jdemooij) → review+
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6173757aa33a
prevent null pointer dereference when calling TraceRootRange/ r=jandem
Priority: -- → P1
https://hg.mozilla.org/mozilla-central/rev/6173757aa33a
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52